[Editor's Note: The SANS course on advanced pen testing (SEC660) teaches a lot of great, in-depth topics, including exploit development, network manipulation (NAC bypass, Scapy packet crafting, man-in-the-middle attacks, and more), and Python for pen testers with tons of hands-on exercises. The whole class culminates in a full-day, intense capture the flag event, where the winners earn a 660 challenge coin (which includes a cool cipher, natch).
But, when you teach a bunch of skills like that and hold a CtF on the last day, sometimes, a few students get a little too rambunctious in applying their new-found skills. At the risk of being indelicate, I'll come out and say it -- they try to cheat. By using their Python skills along with their MiTM capabilities, they try to snarf flags from other teams
And now, after nearly two weeks of intense analysis, detailed deliberation, and outright hand-to-hand combat, our esteemed judges emerge from their bunker, slightly bruised and battered, holding a single sheet of paper upon which, scrawled in blood, are the names of the winning entries to our annual Holiday Hacking Challenge.
In the background, a trumpet fanfare begins boldly proclaiming the announcement, with a scene that looks something like this:
Click here for the full video of the ceremony: http://www.youtube.com/watch?v=yixG8pfncOs
Go ahead and watch that video. It's brilliantly cut and really fun. Don't worry, we'll wait until you are finished with it. OK? Now that you've seen it, we'd
Great penetration testers, by their very nature, are a creative bunch. Our jobs involve finding flaws, tearing them apart carefully, and artfully explaining our results so an organization can better understand its risk and defend itself.
To provide an outlet for this creativity and to share tips, tools, techniques, and inspiration, SANS is excited to announce:
The SANS Spectacular Pen Test Video Contest
Also known as the SANS SPTVC (rolls off the tongue, now, doesn't it?), the idea here is to share some penetration testing insight, tip, trick, or technique that you've learned on your own or perhaps from a SANS Pen Test Course. Or, you could make an inspirational video about the importance of penetration testing done properly. Record it in video format, edit as you see fit, send it in, and we'll pick the best to win a fine prize. We'll have winners in each of the following categories:
1) Most useful tip
2) Highest production values (with a
By Ed Skoudis
This morning, I had the honor of presenting at DerbyCon. My talk focused on the ability to cause physical impact through hacking computers and networks. I call it "Kinetic Pwnage". The slides are available below, and the talk touches on several themes of the recent work my team and I have focused on, including CyberCity, a miniature city with a real power grid and other computer-controlled components used to build capabilities of cyber warriors.
By the way, right after the talk, lotsa people asked me how they could do CyberCity missions. If you are interested in participating in CyberCity missions hands-on, we'll be running our first ever CyberCity missions at a public conference event during the SANS Pen Test Hackfest Summit & Training event, in Washington DC on November 7-14. If you take a full six-day class there, you can join us for one whole evening of CyberCity missions hands-on, plus four evenings devoted to NetWars. Oh,
By Ed Skoudis
Over the past month or so, I've been pondering a phenomenon and some of its implications, running the idea by some of my friends to spur some interesting conversations. I've spoken with penetration testers, security researchers, military planners, forensics experts, defensive operators, incident response specialists, red teamers, blue teamers, and a variety of security curmudgeons about it. The idea is this: at sufficiently advanced technical levels, offense and defense sometimes merge and become one. Offensive techniques can be used to achieve defensive ends; defensive means can be used to achieve offensive ends; and, sometimes, the inherent technical skills of offense and defense are actually identical. I don't claim that this is a particularly new idea, but I do think that it can be fun to contemplate and is perhaps useful. Let me tell you how I came to this observation, and then expand on some examples and implications.
While I was at the RSA